CN107070880A - Single sign-on method and system, and authentication center server - Google Patents
Single sign-on method and system, and authentication center server
Publication number: CN107070880A
Application number: CN201710084420.6A
Authority: CN (China)
Prior art keywords: token, user, signed, request, sent
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Abstract
The invention provides a single sign-on method and system and an authentication center server. The method, applied to the authentication center server, includes: receiving a token request sent by the system that initiates the login request; obtaining the user information of the user corresponding to the token request; generating a token according to the token request; storing the verification information of the token together with the user information; sending the token to the initiating system, so that the initiating system forwards the token to the system the user wants to log in to (the target system); receiving the token sent by the target system; verifying the received token against the stored verification information and, when the token passes verification, allowing the user to log in to the target system and sending the user information to the target system, so that the target system can create the user's session from that information. The invention can improve the security of single sign-on.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a single sign-on method and system and an authentication center server.
Background
With the rapid development of science and technology, the same user may hold accounts in several different application systems, and a single enterprise usually runs several application systems as well. Single sign-on lets a user log in to these different application systems conveniently.
In the prior art, when a user logs in to an application system for the first time through a portal system, the user's identity must be authenticated; on subsequent logins no further identity authentication is required, and the user can log in directly to each application system associated with the portal. For example, if the portal system is associated with application system A and application system B, user A must be authenticated when logging in to application system A through the portal for the first time, and can log in to application system A by single sign-on only after passing that authentication. When user A logs in next time no authentication is required, and user A can also log in directly to application system B by single sign-on through the portal.
As this description shows, in prior-art single sign-on schemes an unauthorized user can easily use the record of a legitimate user's first login to access every application system, so security is relatively low.
Summary of the invention
Embodiments of the invention provide a single sign-on method and system and an authentication center server that can improve the security of single sign-on.
In a first aspect, embodiments of the invention provide a single sign-on method applied to an authentication center server, including:
receiving a token request sent by the system that initiates the login request;
obtaining the user information of the user corresponding to the token request;
generating a token according to the token request;
storing the verification information of the token and the user information;
sending the token to the initiating system, so that the initiating system sends the token to the target system;
receiving the token sent by the target system;
verifying the token sent by the target system according to the stored verification information and, when the token passes verification, allowing the user to log in to the target system and sending the user information to the target system, so that the target system creates the user's session according to the user information.
Further, the token request includes the destination address of the target system to which the token corresponds;
after receiving the token request sent by the initiating system, the method further includes: obtaining the destination address from the token request;
the verification information of the token includes the generation time of the token and the destination address;
the method further includes: presetting a token expiry time;
verifying the token according to the stored verification information includes: judging whether the token sent by the target system satisfies both of the following conditions: the difference between the time at which the token was received from the target system and the generation time of the token is not greater than the token expiry time, and the stored destination address is identical to the address of the system that sent the token; if so, the token sent by the target system is judged to have passed verification, otherwise it is judged not to have passed verification.
Further, before receiving the token request sent by the initiating system, the method further includes:
receiving the user authentication information input by the user;
authenticating the user's identity according to the user authentication information; when the user passes identity authentication, performing the step of receiving the token request sent by the initiating system; when the user does not pass identity authentication, terminating the current process.
Further, the method further includes: when the token passes verification, destroying the token.
In a second aspect, embodiments of the invention provide an authentication center server, including:
a first receiving unit for receiving the token request sent by the system that initiates the login request;
a first acquisition unit for obtaining the user information of the user corresponding to the token request;
a generation unit for generating a token according to the token request;
a storage unit for storing the verification information of the token and the user information;
a sending unit for sending the token to the initiating system, so that the initiating system sends the token to the target system;
a second receiving unit for receiving the token sent by the target system;
a verification unit for verifying the token sent by the target system according to the stored verification information and, when the token passes verification, allowing the user to log in to the target system and sending the user information to the target system, so that the target system creates the user's session according to the user information.
Further, the token request includes the destination address of the target system to which the token corresponds;
the server further includes a second acquisition unit for obtaining the destination address from the token request;
the verification information of the token includes the generation time of the token and the destination address;
the server further includes a setting unit for setting the token expiry time;
the verification unit judges whether the token sent by the target system satisfies both of the following conditions: the difference between the time at which the token was received from the target system and the generation time of the token is not greater than the token expiry time, and the stored destination address is identical to the address of the system that sent the token; if so, it judges that the token sent by the target system passed verification, otherwise that it did not pass verification.
Further, the authentication center server further includes: a third receiving unit for receiving the user authentication information input by the user; and an identity authentication unit for authenticating the user's identity according to the user authentication information, triggering the first receiving unit when the user passes identity authentication, and terminating the current process when the user does not pass identity authentication.
Further, the verification unit is also used to destroy the token when the token passes verification.
In a third aspect, embodiments of the invention provide a single sign-on system, including:
an authentication center server as described in any embodiment of the second aspect, and at least one system provided with a login request interceptor;
the at least one system provided with a login request interceptor includes the system that initiates the login request and the target system;
the login request interceptor in the initiating system is used to send the token request to the authentication center server, receive the token sent by the authentication center server, and send the token to the target system;
the login request interceptor in the target system is used to intercept the token sent by the initiating system, send the token to the authentication center server, and create a user session according to the user information when it receives the user information sent by the authentication center server.
Further, the login request interceptor in the initiating system is used to receive the user's request to log in to the target system and judge whether the user has already logged in to the authentication center server; if so, it sends the token request to the authentication center server; otherwise it redirects the user to the login interface of the authentication center server, so that the user can input user authentication information through that interface;
the authentication center server is further used to receive, through the login interface, the user authentication information input by the user; to authenticate the user's identity according to it; to perform the step of receiving the token request sent by the initiating system when the user passes identity authentication; and to terminate the current process when the user does not pass identity authentication.
In embodiments of the invention, when a user needs to log in to the target system, the initiating system must obtain a token from the authentication center server and send it to the target system; the target system sends the received token to the authentication center server for verification, and only after the token passes verification does the target system create a user session for the user and let the user log in. A user who has no token, or whose token fails verification, cannot log in to the target system at all, which improves the security of single sign-on.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a single sign-on method provided by an embodiment of the invention;
Fig. 2 is a flowchart of another single sign-on method provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of an authentication center server provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of another authentication center server provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a single sign-on system provided by an embodiment of the invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a single sign-on method applied to an authentication center server, which may include the following steps:
Step 101: receive the token request sent by the system that initiates the login request;
Step 102: obtain the user information of the user corresponding to the token request;
Step 103: generate a token according to the token request;
Step 104: store the verification information of the token and the user information;
Step 105: send the token to the initiating system, so that the initiating system sends the token to the target system;
Step 106: receive the token sent by the target system;
Step 107: verify the token sent by the target system according to the stored verification information; when the token passes verification, allow the user to log in to the target system and send the user information to the target system, so that the target system creates the user's session according to the user information.
In embodiments of the invention, when a user needs to log in to the target system, the initiating system must obtain a token from the authentication center server and send it to the target system; the target system sends the received token to the authentication center server for verification, and only after the token passes verification does the target system create a user session and let the user log in. A user who has no token, or whose token fails verification, cannot log in to the target system, which improves the security of single sign-on.
In an embodiment of the invention, the token request includes the destination address of the target system to which the token corresponds;
after receiving the token request sent by the initiating system, the method further includes: obtaining the destination address from the token request;
the verification information of the token includes the generation time of the token and the destination address;
the method further includes: presetting a token expiry time;
verifying the token according to the stored verification information includes: judging whether the token sent by the target system satisfies both of the following conditions: the difference between the time at which the token was received from the target system and the generation time of the token is not greater than the token expiry time, and the stored destination address is identical to the address of the system that sent the token; if so, the token sent by the target system is judged to have passed verification, otherwise it is judged not to have passed verification.
In embodiments of the invention, the validity period of a token is limited by the token expiry time, so that a token is never valid indefinitely; a token that stayed valid would be a serious threat to single sign-on once an unauthorized user obtained it. The destination address limits the scope in which a token may be used, so that each token can log in only to its corresponding target system and the same token cannot be used to log in to several systems, which would also be a considerable threat to single sign-on. The token expiry time may lie in the range [500 milliseconds, 5 seconds]; for example, 1 second or 2 seconds.
In an embodiment of the invention, before receiving the token request sent by the initiating system, the method further includes:
receiving the user authentication information input by the user;
authenticating the user's identity according to the user authentication information; when the user passes identity authentication, performing the step of receiving the token request sent by the initiating system; when the user does not pass identity authentication, terminating the current process.
In embodiments of the invention, only a user who has passed identity authentication at the authentication center server is eligible to obtain a token. Combining identity authentication with token verification makes single sign-on more secure.
In an embodiment of the invention, the method further includes: when the token passes verification, destroying the token.
In embodiments of the invention, a token is used only once, which prevents token reuse, reduces the probability that a token is illegally obtained and used, and improves the security of single sign-on.
As shown in Fig. 2, an embodiment of the invention provides a single sign-on method applied to an authentication center server. In this embodiment the system that initiates the login request is system A and the target system is system B; the user needs to single sign on from system A into system B. The method may include the following steps:
Step 201: preset the token expiry time.
Step 202: receive the token request sent by system A; the token request includes the destination address of system B.
Specifically, the token request may take the form: http(s)://<host address of the authentication center server>/asktoken?url=<address of the target system>.
For example: http(s)://<host address of the authentication center server>/asktoken?url=<destination address>.
Step 203: obtain the destination address from the token request.
Step 204: obtain the user information of the user corresponding to the token request.
The user information may be obtained from the session established with system A. It may include the user's ID and other information needed to create a user session.
Step 205: generate a token according to the token request.
Specifically, a string in GUID (Globally Unique Identifier) format may be generated and used as the token, which is returned to the login request interceptor that initiated the token request.
Step 206: store the generation time of the token, the destination address and the user information.
Specifically, the user information, the generation time of the token and the destination address may be stored as one record in a set of tokens awaiting verification. When storing the destination address, the URL (Uniform Resource Locator) from the token request may be stored directly.
Step 207: send the token to system A, so that system A sends the token to system B.
Specifically, system A may send the token to system B in the form: http(s)://<host address of system B>/sso/<token>.
Step 208: receive the token sent by system B.
Specifically, after system B receives the token from system A, it sends the token to the authentication center server for authentication. System B may send the token to the authentication center server in the form: http(s)://<host address of the authentication center server>/verifytoken/<token>.
Step 209: judge whether the token sent by system B satisfies both of the following conditions: the difference between the time at which the token was received from system B and the generation time of the token is not greater than the token expiry time, and the stored destination address is identical to the address of the system that sent the token. If so, perform step 210; otherwise, perform step 211.
Specifically, the authentication center server checks the validity period of the received token against its generation time to determine whether the token is still valid, and checks against the stored destination address whether the received token corresponds to it. The authentication center server can determine the source of the received token from the session established with the system that sent it, that is, it can determine the address of the system that sent the token.
Step 210: send the user information to system B, so that system B creates the user's session according to the user information.
Specifically, when system B receives the user information sent by the authentication center server, it knows that the authentication center server allows the user to log in to system B. System B creates a user session according to the user information, so that the user is logged in to system B and can interact with it.
Step 211: forbid the user to log in to system B and terminate the current process.
In embodiments of the invention, the token produced by the authentication center server has a limited validity period and is valid only for single sign-on to one system; when the server receives a token verification request, it checks the validity period of the token and verifies, from the address of the system sending the token, whether that system is the target system. These mechanisms realize single sign-on while preventing third-party malware from capturing the token and using it for other purposes, giving a high level of security.
As shown in Fig. 3, an embodiment of the invention provides an authentication center server, including:
a first receiving unit 301 for receiving the token request sent by the system that initiates the login request;
a first acquisition unit 302 for obtaining the user information of the user corresponding to the token request;
a generation unit 303 for generating a token according to the token request;
a storage unit 304 for storing the verification information of the token and the user information;
a sending unit 305 for sending the token to the initiating system, so that the initiating system sends the token to the target system;
a second receiving unit 306 for receiving the token sent by the target system;
a verification unit 307 for verifying the token sent by the target system according to the stored verification information and, when the token passes verification, allowing the user to log in to the target system and sending the user information to the target system, so that the target system creates the user's session according to the user information.
In an embodiment of the invention, the token request includes the destination address of the target system to which the token corresponds;
the server further includes a second acquisition unit for obtaining the destination address from the token request;
the verification information of the token includes the generation time of the token and the destination address;
the server further includes a setting unit for setting the token expiry time;
the verification unit judges whether the token sent by the target system satisfies both of the following conditions: the difference between the time at which the token was received from the target system and the generation time of the token is not greater than the token expiry time, and the stored destination address is identical to the address of the system that sent the token; if so, it judges that the token sent by the target system passed verification, otherwise that it did not pass verification.
As shown in Fig. 4, in an embodiment of the invention the authentication center server further includes: a third receiving unit 401 for receiving the user authentication information input by the user; and an identity authentication unit 402 for authenticating the user's identity according to the user authentication information, triggering the first receiving unit when the user passes identity authentication, and terminating the current process when the user does not pass identity authentication.
In an embodiment of the invention, the verification unit of the authentication center server is further used to destroy the token when the token passes verification.
Embodiments of the invention provide a single sign-on system, including:
an authentication center server as described in any embodiment of the invention, and at least one system provided with a login request interceptor;
the at least one system provided with a login request interceptor includes the system that initiates the login request and the target system;
the login request interceptor in the initiating system is used to send the token request to the authentication center server, receive the token sent by the authentication center server, and send the token to the target system;
the login request interceptor in the target system is used to intercept the token sent by the initiating system, send the token to the authentication center server, and create a user session according to the user information when it receives the user information sent by the authentication center server.
In embodiments of the invention, a login request interceptor is set up in each system that a user can single sign on to. The interceptor encapsulates the login logic a system needs in order to use this single sign-on, so that each such system can provide unified authentication and single sign-on with simple configuration, which greatly simplifies the implementation of single sign-on and saves implementation cost.
The single sign-on system provided by embodiments of the invention offers an authentication service and an interception service; the authentication service is implemented by the authentication center server and the interception service by the login request interceptors. The authentication service may be deployed as a separate web application that provides user authentication and similar services to every system a user can single sign on to.
As shown in Fig. 5, an embodiment of the invention provides a single sign-on system, including: an authentication center server 501 as described in any embodiment of the invention, a system 502 that initiates the login request, and a target system 503. The initiating system 502 includes a login request interceptor 5021, and the target system 503 includes a login request interceptor 5031.
In an embodiment of the invention, the login request interceptor in the initiating system is used to receive the user's request to log in to the target system and judge whether the user has already logged in to the authentication center server; if so, it sends the token request to the authentication center server; otherwise it redirects the user to the login interface of the authentication center server, so that the user can input user authentication information through that interface.
The authentication center server is further used to receive, through the login interface, the user authentication information input by the user; to authenticate the user's identity according to it; to perform the step of receiving the token request sent by the initiating system when the user passes identity authentication; and to terminate the current process when the user does not pass identity authentication.
In embodiments of the invention, the authentication center server may provide an account management service, a user verification service and a token management service. Based on the account management service, the server can manage users' accounts and set the authentication method each user must use. Based on the user verification service, the server can authenticate users' identities in several ways, such as user name plus password, CA (Certificate Authority) digital certificates, or a USB key; the user authentication information input by the user may be, for example, the user's account and password. Based on the token management service, the server can generate, verify and destroy tokens.
In the embodiment of the present invention, when the user passes identity authentication, a session for the user can be created on the authentication center server, and the user is redirected to the login request interceptor in the system initiating the login request; that interceptor creates the user's session in the system initiating the login request and directs the user to the address the user originally requested.
In the embodiment of the present invention, when a user performs single sign-on from one system in which a login request interceptor is deployed to another system, the login request interceptor must be deployed in both systems.
In the embodiment of the present invention, when a user initiates a single sign-on request from a system in which a login request interceptor is deployed, a single sign-on request containing specific information must be sent to that system. The specific information contains the address of the system to be signed in to, together with a marker string indicating that this request is a single sign-on request. After intercepting this request, the login request interceptor requests a token from the authentication center server and, on receiving the token, sends it via a specific link to the system to be signed in to.
The single sign-on request sent by the user can be realized in the following way:
http(s)://<host address of the system initiating the login request>/tokensso?url=<address of the system to be signed in to>
The "tokensso" in the request indicates that the request is a single sign-on request.
In the embodiment of the present invention, the login request interceptor can be a component that intercepts HTTP requests. Its main function is to verify whether the user is logged in and to call the authentication center server to complete single sign-on. The login request interceptor encapsulates all the logic required for the participating systems to realize single sign-on.
Because the relevant logic is encapsulated in the login request interceptor, the embodiment of the present invention greatly reduces the difficulty of applying it to other systems: it can be used simply by configuring it. The main implementation steps are as follows:
1. Deploy the web application of the authentication center server, complete the initial user setup, and set the token validity period.
2. Deploy the login request interceptor DLL in the bin directory of each application system that uses the embodiment of the present invention to realize single sign-on, and add the following information to web.config (the module registration element is written in lowercase, as ASP.NET configuration element names are case sensitive):

```xml
<httpModules>
  <add name="SSOProvider" type="Inspur.SSO.Provider, Inspur.SSO"/>
</httpModules>
```
The embodiments of the invention provide a kind of computer-readable recording medium, including execute instruction, when the computing device of storage control
During the execute instruction, the method that the storage control performs any single-sign-on in the embodiment of the present invention.
The embodiments of the invention provide a kind of storage control, including:Processor, memory and bus;
The memory is used to store execute instruction, and the processor is connected with the memory by the bus, when
During the storage control operation, the execute instruction of memory storage described in the computing device, so that the storage
The method that controller performs any single-sign-on in the embodiment of the present invention.
Since the information exchange between the units and the execution process of the above apparatus are based on the same concept as the method embodiments of the invention, the details can be found in the description of the method embodiments and are not repeated here.
Each embodiment of the invention has at least the following beneficial effects:
1. In the embodiment of the invention, when a user needs to log in to a system, the system initiating the login request must obtain a token from the authentication center server and send the token to the system to be signed in to; the system to be signed in to sends the received token to the authentication center server for verification, and only after the token passes verification does it create a user session for the user, so that the user is logged in to it. If the user has no token, or the token fails verification, the user cannot log in to any system. This improves the security of single sign-on.
2. In the embodiment of the invention, the token generated by the authentication center server has a validity period and can be used only for single sign-on to one system. On receiving a token verification request, the authentication center server checks whether the token is still within its validity period and, according to the address of the system that sent the token to be verified, checks whether that system is the system to be signed in to. These mechanisms realize single sign-on while preventing third-party malware from intercepting the token and using it for other purposes, giving high security.
3. In the embodiment of the invention, a login request interceptor is provided for every system that a user can single-sign-on to, and the operating logic that such a system needs in order to log a user in via single sign-on is encapsulated in the interceptor. Every system that a user can single-sign-on to can therefore obtain unified authentication and single sign-on services through simple configuration, which greatly simplifies the implementation of single sign-on and saves implementation cost.
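The token lifecycle described above (a token bound to one destination address, checked for expiry and for the address of the system presenting it, destroyed after one successful verification) together with the `tokensso` request format, modelled in Python as an added example. This is not the patent's or Inspur's code; the class and function names, the `token=` query parameter used to carry the token to the target system, the in-memory stores and the `login` stand-in for identity authentication are assumptions.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SSO_MARKER = "tokensso"  # path marker meaning "this request is a single sign-on request"


@dataclass
class TokenRecord:
    generated_at: float  # token generation time (authentication information)
    destination: str     # address of the system to be signed in to (authentication information)
    profile: dict        # user profile, released to the target only after verification


class AuthCenter:
    """Model of the authentication center server: issues, verifies and destroys tokens."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds  # pre-set token expiry time length
        self._tokens = {}       # token -> TokenRecord
        self._sessions = {}     # session id -> user profile, created after identity authentication

    def login(self, profile):
        """Stand-in for identity authentication (user name + password, CA, USB KEY ...):
        the user is assumed already verified; a session is created and its id returned."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = profile
        return sid

    def apply_token(self, session_id, destination, now):
        """Request for a token from the initiating system's interceptor.
        Returns None when the user has no session here, i.e. has not logged in."""
        profile = self._sessions.get(session_id)
        if profile is None:
            return None
        token = secrets.token_urlsafe(32)  # unguessable; one token per sign-on
        self._tokens[token] = TokenRecord(now, destination, profile)
        return token

    def verify_token(self, token, sender_address, now):
        """Verification: the token must exist, be within its validity period and be
        presented by the system it was issued for. A token that verifies is destroyed,
        so a captured token cannot be replayed. Returns the user profile or None."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if now - rec.generated_at > self.ttl:
            del self._tokens[token]  # expired: never usable again
            return None
        if sender_address != rec.destination:
            return None              # presented by a system other than the one it was issued for
        del self._tokens[token]      # destroy on successful verification (single use)
        return rec.profile


def origin(url):
    """The 'address of a system' that the authentication center compares: scheme and host."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def initiating_interceptor(request_url, session_id, auth, now, login_url):
    """Login request interceptor on the system that initiates the login.
    Returns the URL the user's browser is sent to next."""
    parts = urlsplit(request_url)
    if parts.path.rstrip("/").split("/")[-1] != SSO_MARKER:
        return request_url  # ordinary request: nothing to do
    target = parse_qs(parts.query).get("url", [None])[0]
    if target is None:
        raise ValueError("single sign-on request without url= parameter")
    token = auth.apply_token(session_id, origin(target), now)
    if token is None:
        # not logged in at the authentication center: redirect to its login interface
        return login_url + "?" + urlencode({"return": request_url})
    t = urlsplit(target)
    return urlunsplit((t.scheme, t.netloc, t.path, urlencode({"token": token}), ""))


def target_interceptor(request_url, own_address, auth, now):
    """Login request interceptor on the system to be signed in to: forwards the token to
    the authentication center and creates the user session only when it verifies.
    Assumption: a real authentication center takes the sender address from the
    connection it receives the token on, not from a value the sender claims."""
    token = parse_qs(urlsplit(request_url).query).get("token", [None])[0]
    if token is None:
        return None
    profile = auth.verify_token(token, own_address, now)
    if profile is None:
        return None  # no token, expired, replayed or wrong system: no login
    return {"user": profile["name"], "profile": profile}
```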
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes the element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
Finally, it should be noted that the foregoing are only preferred embodiments of the present invention, intended only to illustrate the technical solution of the invention and not to limit its scope. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention are included in the protection scope of the present invention.
Claims (10)
1. A single sign-on method, characterised in that it is applied to an authentication center server and comprises:
receiving a request for a token sent by a system initiating a login request;
obtaining the user profile of the user corresponding to the request for a token;
generating a token according to the request for a token;
storing the authentication information of the token and the user profile;
sending the token to the system initiating the login request, so that the system initiating the login request sends the token to the system to be signed in to;
receiving the token sent by the system to be signed in to;
verifying the token sent by the system to be signed in to according to the stored authentication information of the token; and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to the system to be signed in to, so that the system to be signed in to creates a user session for the user according to the user profile.
2. The method according to claim 1, characterised in that:
the request for a token includes the destination address of the system to be signed in to that corresponds to the token;
after receiving the request for a token sent by the system initiating the login request, the method further comprises obtaining the destination address from the request for a token;
the authentication information of the token includes the generation time of the token and the destination address;
the method further comprises pre-setting a token expiry time length; and
verifying the token according to the stored authentication information of the token comprises: judging whether the token sent by the system to be signed in to satisfies both of the following conditions: the difference between the time at which the token sent by the system to be signed in to is received and the generation time of the token is not greater than the token expiry time length, and the stored destination address is identical to the address of the system that sent the token; if so, judging that the token sent by the system to be signed in to passes verification, and otherwise judging that the token sent by the system to be signed in to does not pass verification.
3. The method according to claim 1, characterised in that, before receiving the request for a token sent by the system initiating the login request, the method further comprises:
receiving user authentication information input by the user; and
performing identity authentication of the user according to the user authentication information; when the user passes identity authentication, performing the step of receiving the request for a token sent by the system initiating the login request, and when the user does not pass identity authentication, terminating the current process.
4. The method according to any one of claims 1 to 3, characterised in that it further comprises destroying the token when the token passes verification.
5. An authentication center server, characterised in that it comprises:
a first receiving unit, for receiving a request for a token sent by a system initiating a login request;
a first acquisition unit, for obtaining the user profile of the user corresponding to the request for a token;
a generation unit, for generating a token according to the request for a token;
a storage unit, for storing the authentication information of the token and the user profile;
a transmitting unit, for sending the token to the system initiating the login request, so that the system initiating the login request sends the token to the system to be signed in to;
a second receiving unit, for receiving the token sent by the system to be signed in to; and
a verification unit, for verifying the token sent by the system to be signed in to according to the stored authentication information of the token and, when the token passes verification, allowing the user to log in to the system to be signed in to and sending the user profile to the system to be signed in to, so that the system to be signed in to creates a user session for the user according to the user profile.
6. The authentication center server according to claim 5, characterised in that:
the request for a token includes the destination address of the system to be signed in to that corresponds to the token;
the server further comprises a second acquisition unit, for obtaining the destination address from the request for a token;
the authentication information of the token includes the generation time of the token and the destination address;
the server further comprises a setting unit, for setting a token expiry time length; and
the verification unit is for judging whether the token sent by the system to be signed in to satisfies both of the following conditions: the difference between the time at which the token sent by the system to be signed in to is received and the generation time of the token is not greater than the token expiry time length, and the stored destination address is identical to the address of the system that sent the token; if so, judging that the token sent by the system to be signed in to passes verification, and otherwise judging that the token sent by the system to be signed in to does not pass verification.
7. The authentication center server according to claim 5, characterised in that it further comprises:
a third receiving unit, for receiving user authentication information input by the user; and
an identity authentication unit, for performing identity authentication of the user according to the user authentication information, triggering the first receiving unit when the user passes identity authentication, and terminating the current process when the user does not pass identity authentication.
8. The authentication center server according to any one of claims 5 to 7, characterised in that the verification unit is further for destroying the token when the token passes verification.
9. A single sign-on system, characterised in that it comprises the authentication center server according to any one of claims 5 to 8 and at least one system provided with a login request interceptor, wherein:
the at least one system provided with a login request interceptor includes a system initiating a login request and a system to be signed in to;
the login request interceptor in the system initiating the login request is for sending a request for a token to the authentication center server, receiving the token sent by the authentication center server, and sending the token to the system to be signed in to; and
the login request interceptor in the system to be signed in to is for intercepting the token sent by the system initiating the login request, sending the token to the authentication center server and, on receiving the user profile sent by the authentication center server, creating a user session according to the user profile.
10. The system according to claim 9, characterised in that:
the login request interceptor in the system initiating the login request is for receiving the request sent by the user to log in to the system to be signed in to and judging whether the user has logged in to the authentication center server; if so, performing the sending of the request for a token to the authentication center server, and otherwise redirecting the user to the login interface of the authentication center server so that the user inputs user authentication information through the login interface; and
the authentication center server is further for receiving the user authentication information input by the user through the login interface, performing identity authentication of the user according to the user authentication information, performing the receiving of the request for a token sent by the system initiating the login request when the user passes identity authentication, and terminating the current process when the user does not pass identity authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710084420.6A CN107070880A (en) | 2017-02-16 | 2017-02-16 | A kind of method and system of single-sign-on, a kind of authentication center's server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107070880A true CN107070880A (en) | 2017-08-18 |
Family
ID=59621390
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710084420.6A Pending CN107070880A (en) | 2017-02-16 | 2017-02-16 | A kind of method and system of single-sign-on, a kind of authentication center's server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107070880A (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911363A (en) * | 2017-11-14 | 2018-04-13 | 福建中金在线信息科技有限公司 | User information store method, device and server |
CN108769041A (en) * | 2018-06-06 | 2018-11-06 | 深圳壹账通智能科技有限公司 | Login method, system, computer equipment and storage medium |
CN109347864A (en) * | 2018-11-22 | 2019-02-15 | 杭州迪普科技股份有限公司 | Single-point logging method and device based on Virtual Private Network |
WO2019095567A1 (en) * | 2017-11-15 | 2019-05-23 | 平安科技(深圳)有限公司 | Single sign-on verification device, method, and computer readable storage medium |
CN109802835A (en) * | 2019-01-25 | 2019-05-24 | 北京中电普华信息技术有限公司 | A kind of safety certifying method, system and API gateway |
CN109936579A (en) * | 2019-03-21 | 2019-06-25 | 广东瑞恩科技有限公司 | Single-point logging method, device, equipment and computer readable storage medium |
CN110247907A (en) * | 2019-06-10 | 2019-09-17 | 深兰科技(上海)有限公司 | A kind of multi-application platform access method, apparatus and system |
CN110430205A (en) * | 2019-08-09 | 2019-11-08 | 深圳前海微众银行股份有限公司 | Single-point logging method, device, equipment and computer readable storage medium |
CN110781482A (en) * | 2019-10-12 | 2020-02-11 | 广州酷旅旅行社有限公司 | Login method, login device, computer equipment and storage medium |
CN110855640A (en) * | 2019-10-30 | 2020-02-28 | 北京市天元网络技术股份有限公司 | CAS-based login credential destruction method and device |
CN111949955A (en) * | 2020-07-30 | 2020-11-17 | 山东英信计算机技术有限公司 | Single sign-on method, device and equipment for web system and readable storage medium |
CN112087425A (en) * | 2020-07-30 | 2020-12-15 | 山东浪潮通软信息科技有限公司 | Login method, equipment and medium of ERP software system |
CN112104641A (en) * | 2020-09-11 | 2020-12-18 | 中国联合网络通信集团有限公司 | Login form conversion method and device, storage medium and electronic equipment |
CN112231691A (en) * | 2020-09-29 | 2021-01-15 | 新华三信息安全技术有限公司 | Equipment login method, device and system |
CN112328991A (en) * | 2020-11-06 | 2021-02-05 | 广州朗国电子科技有限公司 | Cross-system single sign-on method based on face recognition and storage medium |
CN112364334A (en) * | 2020-11-09 | 2021-02-12 | 成都卫士通信息产业股份有限公司 | Single sign-on method and device, electronic equipment and storage medium |
CN112487390A (en) * | 2020-11-27 | 2021-03-12 | 网宿科技股份有限公司 | Micro-service switching method and system |
CN112685719A (en) * | 2020-12-29 | 2021-04-20 | 武汉联影医疗科技有限公司 | Single sign-on method, device, system, computer equipment and storage medium |
CN113055371A (en) * | 2021-03-09 | 2021-06-29 | 上海明略人工智能(集团)有限公司 | Login authentication method and system for Internet of things TCP (Transmission control protocol) equipment |
CN113536250A (en) * | 2021-06-02 | 2021-10-22 | 上海硬通网络科技有限公司 | Token generation method, login verification method and related equipment |
US11159512B1 (en) | 2020-05-21 | 2021-10-26 | Citrix Systems, Inc. | Cross device single sign-on |
CN113569274A (en) * | 2021-06-07 | 2021-10-29 | 飞友科技有限公司 | Registration-login-free form filling method and device |
CN114143053A (en) * | 2021-11-24 | 2022-03-04 | 国云科技股份有限公司 | Third-party service login method and device, terminal equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080059804A1 (en) * | 2006-08-22 | 2008-03-06 | Interdigital Technology Corporation | Method and apparatus for providing trusted single sign-on access to applications and internet-based services |
CN102111410A (en) * | 2011-01-13 | 2011-06-29 | 中国科学院软件研究所 | Agent-based single sign on (SSO) method and system |
CN102624720A (en) * | 2012-03-02 | 2012-08-01 | 华为技术有限公司 | Method, device and system for identity authentication |
CN103188248A (en) * | 2011-12-31 | 2013-07-03 | 卓望数码技术(深圳)有限公司 | Identity authentication system and method based on single sign-on |
CN104378376A (en) * | 2014-11-18 | 2015-02-25 | 深圳中兴网信科技有限公司 | SOA-based single-point login method, authentication server and browser |
Events: 2017-02-16 CN CN201710084420.6A patent/CN107070880A/en active Pending
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911363A (en) * | 2017-11-14 | 2018-04-13 | 福建中金在线信息科技有限公司 | User information store method, device and server |
WO2019095567A1 (en) * | 2017-11-15 | 2019-05-23 | 平安科技(深圳)有限公司 | Single sign-on verification device, method, and computer readable storage medium |
CN108769041A (en) * | 2018-06-06 | 2018-11-06 | 深圳壹账通智能科技有限公司 | Login method, system, computer equipment and storage medium |
CN109347864A (en) * | 2018-11-22 | 2019-02-15 | 杭州迪普科技股份有限公司 | Single-point logging method and device based on Virtual Private Network |
CN109802835A (en) * | 2019-01-25 | 2019-05-24 | 北京中电普华信息技术有限公司 | A kind of safety certifying method, system and API gateway |
CN109936579A (en) * | 2019-03-21 | 2019-06-25 | 广东瑞恩科技有限公司 | Single-point logging method, device, equipment and computer readable storage medium |
CN110247907A (en) * | 2019-06-10 | 2019-09-17 | 深兰科技(上海)有限公司 | A kind of multi-application platform access method, apparatus and system |
CN110430205A (en) * | 2019-08-09 | 2019-11-08 | 深圳前海微众银行股份有限公司 | Single-point logging method, device, equipment and computer readable storage medium |
CN110781482B (en) * | 2019-10-12 | 2021-06-18 | 广州酷旅旅行社有限公司 | Login method, login device, computer equipment and storage medium |
CN110781482A (en) * | 2019-10-12 | 2020-02-11 | 广州酷旅旅行社有限公司 | Login method, login device, computer equipment and storage medium |
CN110855640A (en) * | 2019-10-30 | 2020-02-28 | 北京市天元网络技术股份有限公司 | CAS-based login credential destruction method and device |
US11159512B1 (en) | 2020-05-21 | 2021-10-26 | Citrix Systems, Inc. | Cross device single sign-on |
US11743247B2 (en) | 2020-05-21 | 2023-08-29 | Citrix Systems, Inc. | Cross device single sign-on |
WO2021232347A1 (en) * | 2020-05-21 | 2021-11-25 | Citrix Systems, Inc. | Cross device single sign-on |
CN111949955A (en) * | 2020-07-30 | 2020-11-17 | 山东英信计算机技术有限公司 | Single sign-on method, device and equipment for web system and readable storage medium |
CN112087425A (en) * | 2020-07-30 | 2020-12-15 | 山东浪潮通软信息科技有限公司 | Login method, equipment and medium of ERP software system |
CN112087425B (en) * | 2020-07-30 | 2022-11-29 | 浪潮通用软件有限公司 | Login method, equipment and medium of ERP software system |
CN111949955B (en) * | 2020-07-30 | 2022-06-17 | 山东英信计算机技术有限公司 | Single sign-on method, device and equipment for web system and readable storage medium |
CN112104641A (en) * | 2020-09-11 | 2020-12-18 | 中国联合网络通信集团有限公司 | Login form conversion method and device, storage medium and electronic equipment |
CN112104641B (en) * | 2020-09-11 | 2022-07-29 | 中国联合网络通信集团有限公司 | Login form conversion method and device, storage medium and electronic equipment |
CN112231691A (en) * | 2020-09-29 | 2021-01-15 | 新华三信息安全技术有限公司 | Equipment login method, device and system |
CN112328991A (en) * | 2020-11-06 | 2021-02-05 | 广州朗国电子科技有限公司 | Cross-system single sign-on method based on face recognition and storage medium |
CN112364334A (en) * | 2020-11-09 | 2021-02-12 | 成都卫士通信息产业股份有限公司 | Single sign-on method and device, electronic equipment and storage medium |
CN112487390A (en) * | 2020-11-27 | 2021-03-12 | 网宿科技股份有限公司 | Micro-service switching method and system |
CN112685719A (en) * | 2020-12-29 | 2021-04-20 | 武汉联影医疗科技有限公司 | Single sign-on method, device, system, computer equipment and storage medium |
CN113055371A (en) * | 2021-03-09 | 2021-06-29 | 上海明略人工智能(集团)有限公司 | Login authentication method and system for Internet of things TCP (Transmission control protocol) equipment |
CN113536250A (en) * | 2021-06-02 | 2021-10-22 | 上海硬通网络科技有限公司 | Token generation method, login verification method and related equipment |
CN113536250B (en) * | 2021-06-02 | 2023-07-04 | 上海硬通网络科技有限公司 | Token generation method, login verification method and related equipment |
CN113569274A (en) * | 2021-06-07 | 2021-10-29 | 飞友科技有限公司 | Registration-login-free form filling method and device |
CN114143053A (en) * | 2021-11-24 | 2022-03-04 | 国云科技股份有限公司 | Third-party service login method and device, terminal equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107070880A (en) | A kind of method and system of single-sign-on, a kind of authentication center's server | |
US20200162583A1 (en) | Secure client-server communication | |
CN105007280B (en) | A kind of application login method and device | |
CN104219316B (en) | A kind of call request processing method and processing device in distributed system | |
CN111062023B (en) | Method and device for realizing single sign-on of multi-application system | |
CN104113551B (en) | A kind of platform authorization method, platform service end and applications client and system | |
CN112997153B (en) | System and method for consistent execution policy across different SAAS applications via embedded browser | |
CN110351228A (en) | Remote entry method, device and system | |
CN106936853A (en) | A kind of system-oriented integrated cross-domain single login system and method | |
CN106470190A (en) | A kind of Web real-time communication platform authentication cut-in method and device | |
CN106487774A (en) | A kind of cloud host services authority control method, device and system | |
CN102469075A (en) | Integration authentication method based on WEB single sign on | |
CN106790272A (en) | A kind of system and method for single-sign-on, a kind of application server | |
CN105897757B (en) | Authorization identifying system and authorization and authentication method | |
CN107294916A (en) | Single-point logging method, single-sign-on terminal and single-node login system | |
CN111092910B (en) | Database security access method, device, equipment, system and readable storage medium | |
CN108234509A (en) | FIDO authenticators, Verification System and method based on TEE and PKI certificates | |
CN103747076B (en) | Cloud platform access method and device | |
CN110311926A (en) | A kind of application access control method, system and medium | |
CN106331003A (en) | Method and device for accessing application portal system on cloud desktop | |
CN102271136A (en) | Access control method and equipment under NAT (Network Address Translation) network environment | |
CN109726531A (en) | A kind of marketer terminal security control method based on block chain intelligence contract | |
CN109040069A (en) | A kind of dissemination method, delivery system and the access method of cloud application program | |
CN105354482A (en) | Single sign-on method and device | |
CN109962892A (en) | A kind of authentication method and client, server logging in application |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20170818